Page last updated at 09:00 GMT, Thursday, 7 August 2008 10:00 UK

Net address bug worse than feared

By Maggie Shiels
Technology reporter, BBC News, Silicon Valley

Computer keyboard, BBC
Attackers could use the loophole to redirect web users to fake sites

A recently found flaw in the internet's addressing system is worse than first feared, says the man who found it.

Dan Kaminsky made his comments when speaking publicly for the first time about his discovery at the Black Hat conference in Las Vegas.

He said fixes for the flaw in the net's Domain Name System (DNS) had focused on web browsers but it could be abused by hackers in many other ways.

"Every network is at risk," he said. "That's what this flaw has shown."

The DNS acts as the internet's address books and helps computers translate the website names people prefer (such as bbc.co.uk) into the numbers computers use (212.58.224.131).

Mr Kaminsky discovered a way for malicious hackers to hijack DNS and re-direct people to fake pages even if they typed in the correct address for a website.

In his talk Mr Kaminsky detailed 15 other ways for the flaw to be exploited.

Via the flaw hi-tech criminals or pranksters could target FTP services, mail servers, spam filters, Telnet and the Secure Socket Layer (SSL) that helps to make web-based transactions more secure.

"There are a ton of different paths that lead to doom," he said.

'Hype'

But the DNS threat was played down by net giant VeriSign which issues many of the security certificates used in SSL. It told BBC News its system was "not vulnerable".

The Silicon Valley company looks after two of the net's 13 DNS root servers. It also controls the computers that contain the master list of domain name suffixes such as .com and .net

Ken Silva, CTO VeriSign
"If there is a silver lining in all of this, it's that users will become more aware and more conscious of who they do business with."

Ken Silva, chief technology officer at Verisign, said: "We have anticipated these flaws in DNS for many years and we have basically engineered around them."

He believed there had been "some hype" around how the DNS flaw will affect consumers. He added that while it was an interesting way to exploit DNS on weak servers, there were other ways to misdirect people that remained.

Mr Silva said he was concerned that people would read too much into the doom and gloom headlines that have surrounded the discovery of the DNS flaw.

"It's been overplayed in a sense. I think it has served to confuse the consumer into believing there is somehow now a way to misdirect them to a wrong site.

"The fact of the matter is that there have been many ways like phishing attacks to misdirect them for a long time and this is just yet another of those ways that will be surgically exploited."

Security gap

Mr Kaminsky kept news of the flaw out of the public domain for months after its discovery to give companies time to patch servers.

Mr Kaminsky said that 75% of Fortune 500 companies have fixed the problem while around 15% have done nothing.

Major vendors like Microsoft, Cisco, Sun Microsystems and others have issued patches to close the security hole.

"The industry has rallied like we've never seen the industry rally before," said Mr Kaminsky.

Student using laptop, BBC
Computer users need to be educated to surf the superhighway more safely

DNS attacks are not new but Mr Kaminsky is credited with discovering a way to link some widely known weaknesses in the system so that the attack now takes seconds instead of days or hours.

"Quite frankly, all the pieces of this have been staring us in the face for decades," said Paul Vixie, president of the Internet Systems Consortium, a non-profit that makes the software run by many of the world's DNS servers.

Mr Silva at VeriSign said even though patches have been put in place, this doesn't mean users can sit back and relax.

"The biggest gap in security rests between the keyboard and the back of the chair," he said.

"The look and feel of a website is not what a consumer should trust. They should trust the security behind that website and do simple things like use more secure passwords and change their password regularly."

Mr Silva said education is fundamental in making the net a safer place.

"We have been trained since we were young to lock the door to our house, our car. We take these sensible security measures in the environment we are functioning in.

"Yet when it comes to computer safety we forget to look both ways before crossing the internet highway."


SEE ALSO
Attacks begin on net address flaw
25 Jul 08 |  Technology
Net address fix foxes web users
10 Jul 08 |  Technology
UK net numbering project starts
26 Nov 07 |  Technology
Fix found for net security flaw
09 Jul 08 |  Technology
To disclose or not to disclose?
22 Jul 08 |  Technology
Home network security scrutinised
16 Feb 07 |  Technology

RELATED INTERNET LINKS
The BBC is not responsible for the content of external internet sites


FEATURES, VIEWS, ANALYSIS
Has China's housing bubble burst?
How the world's oldest clove tree defied an empire
Why Royal Ballet principal Sergei Polunin quit

BBC navigation

BBC © 2014 The BBC is not responsible for the content of external sites. Read more.

This page is best viewed in an up-to-date web browser with style sheets (CSS) enabled. While you will be able to view the content of this page in your current browser, you will not be able to get the full visual experience. Please consider upgrading your browser software or enabling style sheets (CSS) if you are able to do so.

Americas Africa Europe Middle East South Asia Asia Pacific